Qilin

Threat Actor updated 22 days ago (2024-11-29T13:52:25.072Z)

Download STIX

Preview STIX

Qilin, a threat actor known for its malicious activities in the cyberspace, has been on the rise with an increase in victim count by 44% reaching 140 in Q3. This group is part of the Octo Tempest group which recently added RansomHub and Qilin ransomware to its arsenal, enhancing its capabilities to launch more sophisticated attacks. Notably, Qilin has demonstrated its potency through a successful attack on automotive giant Yanfeng using its namesake ransomware. Furthermore, researchers have discovered a new variant of the Qilin ransomware, dubbed Qilin.B, that exhibits advanced encryption techniques and enhanced defense evasion capabilities, targeting both Windows and Linux systems for double extortion schemes. Qilin's operations are multifaceted and often involve partnerships with initial access brokers (IABs) to execute their attacks. In one observed case, the Qilin ransomware gang breached its target via a VPN portal, demonstrating their advanced tactics. Despite this, the group has not been without setbacks. The rise of RansomHub seems to have come at the expense of LockBit, which had three times more successful attacks than Qilin in the second quarter. However, the fortunes of Qilin appear to be improving as they continue to expand their reach and improve their tactics. The group has also faced legal challenges. In August, Synnovis obtained a preliminary injunction from the English High Court against the Qilin ransomware group, Telegram, and a leak site to prevent the publication of stolen data. Following this injunction, Telegram blocked the channel used by Qilin to leak the data stolen from victims. Despite these obstacles, Qilin continues to pose a significant threat, as evidenced by an incident in June where the group published stolen data on its Tor leak site. As such, organizations must remain vigilant and proactive in their cybersecurity efforts to counteract the evolving threat posed by Qilin.

Description last updated: 2024-10-29T20:12:48.378Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Ransomhub is a possible alias for Qilin. RansomHub, a threat actor in the realm of cybersecurity, has emerged as a significant player within the ransomware landscape. The group is known for its malicious activities, including data breaches and extortion attempts. It has been observed that RansomHub affiliates actively participate in campai	3
Octo Tempest is a possible alias for Qilin. Octo Tempest, also known as Scattered Spider or 0ktapus, is a notable threat actor group in the cybercrime landscape. The group, comprised of five individuals in their early 20s, has been linked to major data extortion campaigns against high-profile targets such as Caesars Entertainment and MGM, oft	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Ransomware

Extortion

RaaS

Malware

Linux

Credentials

Ransom

Encryption

Chrome

Vpn

Data Leak

Cybercrime

Phishing

Windows

Esxi

Rust

Nhs

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Lockbit Malware is associated with Qilin. LockBit is a prominent ransomware-as-a-service (RaaS) malware that has been involved in numerous cyberattacks, demonstrating its staying power and adaptability. The malware, which can infiltrate systems through suspicious downloads, emails, or websites, is designed to exploit and damage computers or	Unspecified	4
The Black Basta Malware is associated with Qilin. Black Basta is a notorious malware group known for its sophisticated ransomware attacks, which have targeted numerous high-profile entities. The group has demonstrated a remarkable ability to adapt their tactics, techniques, and procedures (TTPs), allowing them to effectively evade security defenses	Unspecified	2
The Hive Malware is associated with Qilin. Hive is a form of malware, specifically ransomware, designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, Hive can steal personal information, disrupt operations, or hold data hostag	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Alphv Threat Actor is associated with Qilin. Alphv, also known as BlackCat, is a threat actor group that has been linked to numerous cyberattacks, particularly targeting the healthcare sector. The group made headlines when it stole 5TB of data from Morrison Community Hospital, causing significant disruption and raising concerns about patient p	Unspecified	3
The BianLian Threat Actor is associated with Qilin. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory	Unspecified	2
The Scattered Spider Threat Actor is associated with Qilin. Scattered Spider, also known as Octo Tempest, 0ktapus, and UNC3944, is a notorious threat actor group involved in major data extortion campaigns. This cybercriminal group has been associated with high-profile attacks on organizations like Caesars Entertainment and MGM, often in collaboration with th	Unspecified	2

Source Document References

Information about the Qilin Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Checkpoint	2 months ago	28th October – Threat Intelligence Report - Check Point Research
InfoSecurity-magazine	2 months ago	RansomHub Overtakes LockBit as Most Prolific Ransomware Group
Securityaffairs	3 months ago	Security Affairs newsletter Round 491 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	3 months ago	Security Affairs newsletter Round 490 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading	3 months ago	Infostealers: An Early Warning for Ransomware Attacks
Securityaffairs	3 months ago	Qilin ransomware attack on Synnovis impacted over 900K patients
DARKReading	3 months ago	Socially Savvy Scattered Spider Traps Cloud Admins in Web
Malwarebytes	4 months ago	CODAC Behavioral Healthcare, US Marshalls are latest ransomware targets \| Malwarebytes
Checkpoint	4 months ago	26th August – Threat Intelligence Report - Check Point Research
Securityaffairs	4 months ago	Qilin ransomware steals credentials stored in Google Chrome
Securityaffairs	4 months ago	SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
InfoSecurity-magazine	4 months ago	#BHUSA: 17.8m Phishing Emails Detected in First Half of 2024
Securityaffairs	5 months ago	security-affairs-malware-newsletter-round-5
BankInfoSecurity	5 months ago	Synnovis Attack Halts 8,000 NHS Patient Procedures So Far
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	5 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs	5 months ago	Security Affairs Malware Newsletter - Round 3
Securityaffairs	5 months ago	Security Affairs newsletter Round 481 by Pierluigi Paganini – INTERNATIONAL EDITION
InfoSecurity-magazine	5 months ago	Qilin Ransomware’s Sophisticated Tactics Unveiled By Experts
Securityaffairs	5 months ago	Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal